[Samba] Share access permission errors after upgrade from 4.12.14

unraidster unraidster@protonmail.com
Wed Jan 24 17:31:46 UTC 2024


On Wednesday, 24 January 2024 at 10:51, Rowland Penny via samba <samba@lists.samba.org> wrote:

> I rearranged the smb.conf above and added comments:
>
> [global]
> netbios name = Tower
> server string = Media server
> security = USER
> workgroup = WORKGROUP
> bind interfaces only = yes
> interfaces = 192.168.66.10/24 127.0.0.1
>
> # we don't do printers
> show add printer wizard = No
> disable spoolss = Yes
> load printers = No
> printing = bsd
> printcap name = /dev/null
>
> # log stuff only to syslog
> logging = syslog@0
>
> use sendfile = Yes
>
> hide dot files = no # Why? You do not usually need to see them.
> server multi channel support = no # Reasonable, your Unraid device probably only has one network device.
> max open files = 40960 # Why? You shouldn't need to touch this.
> multicast dns register = No # Why? NetBIOS is turned off below, it might be a good idea to use Avahi.
> disable netbios = yes
> server min protocol = SMB2 # This is the default and has been for quite some time.
> map to guest = Bad User
> passdb backend = smbpasswd # The 'smbpasswd' backend was replaced years ago by the tdbsam backend.
> null passwords = Yes # This is just plain stupidity.
> idmap config * : backend = tdb # This and the line below are not required on a standalone server.
> idmap config * : range = 3000-7999
> create mask = 0777 # This and the line below would be better set in the shares.
> directory mask = 0777
>
>
> # disable aio by default
> aio read size = 0 # Why? This could potentially slow things down.
> aio write size = 0 # Why? This could potentially slow things down.
>
> # misc.
> invalid users = root # Old school, use ACLs.
> unix extensions = No # This is only here to allow the next line.
> wide links = Yes # Not a good idea, very insecure.
> host msdfs = No
>
> # ease upgrades from Samba 3.6 # Pardon? 3.6 died 8 years ago.
> acl allow execute always = Yes
> # permit NTLMv1 authentication
> ntlm auth = Yes # Why?
>
> # default global fruit settings: # None of which will have any effect, because none of the Apple VFS objects are turned on.
> #fruit:aapl = Yes
> #fruit:nfs_aces = Yes
> fruit:nfs_aces = No
> #fruit:copyfile = No
> #fruit:model = MacSamba
>
> It is for a standalone server.
>
> Can you please join it to the domain and then post the new smb.conf , I
> am looking to see what the default idmap backend is for the domain.
>
> Rowland

Hi,

I assumed that the rearranged config you provided was for feedback, I haven't made any changes to the configuration based on those comments. I'll send a message to the Unraid support team with a link to this post when I get to an output with the issue.

I have been including outputs from testparm. I assumed that the command's output is the configuration that is used by smbd after the smb.conf and all included .conf files have been processed, like a resultant configuration. Is that correct? (I wanted to validate that this is the configuration I should expect the system to use, and that there isn't anything in the .conf files that could be modifying it.) I noticed that if I set a property to the default value (as specified in the man pages) it disappears from the testparm output; I assumed this is because testparm "filters" out any properties set to the system default value.

The .conf exports and testparm output were from a clean install. I have joined the Unraid server to the same TESTLAB domain as my previous lab Unraid server. Please find the updated smb.conf below:

smb.conf:
	root@Tower:~# cat /etc/samba/smb.conf
	[global]
		# configurable identification
		include = /etc/samba/smb-names.conf

	# log stuff only to syslog
	logging = syslog@0

	# we don't do printers
	show add printer wizard = No
	disable spoolss = Yes
	load printers = No
	printing = bsd
	printcap name = /dev/null

	# disable aio by default
	aio read size = 0
	aio write size = 0

	# misc.
	invalid users = root
	unix extensions = No
	wide links = Yes
	use sendfile = Yes
	host msdfs = No

	# ease upgrades from Samba 3.6
	acl allow execute always = Yes
	# permit NTLMv1 authentication
	ntlm auth = Yes

	# default global fruit settings:
	#fruit:aapl = Yes
	#fruit:nfs_aces = Yes
	fruit:nfs_aces = No
	#fruit:copyfile = No
	#fruit:model = MacSamba

	# hook for user-defined samba config
	include = /boot/config/smb-extra.conf

	# auto-configured shares
	include = /etc/samba/smb-shares.conf

Output from Testparm:
	root@Tower:~# testparm
	Load smb config files from /etc/samba/smb.conf
	lpcfg_do_global_parameter: WARNING: The "null passwords" option is deprecated
	Loaded services file OK.
	Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

	Server role: ROLE_DOMAIN_MEMBER

	Press enter to see a dump of your service definitions

	# Global parameters
	[global]
		bind interfaces only = Yes
		disable netbios = Yes
		disable spoolss = Yes
		host msdfs = No
		interfaces = 192.168.66.10/24 127.0.0.1
		ldap ssl = no
		load printers = No
		logging = syslog@0
		max open files = 40960
		multicast dns register = No
		ntlm auth = ntlmv1-permitted
		null passwords = Yes
		printcap name = /dev/null
		realm = TESTLAB.COM
		security = ADS
		server min protocol = SMB2
		server multi channel support = No
		server string = Media server
		show add printer wizard = No
		smb1 unix extensions = No
		winbind use default domain = Yes
		workgroup = TESTLAB
		fruit:nfs_aces = No
		idmap config * : range = 10000-4000000000
		idmap config * : backend = hash
		acl allow execute always = Yes
		acl group control = Yes
		aio read size = 0
		aio write size = 0
		dos filemode = Yes
		hide dot files = No
		include = /etc/samba/smb-shares.conf
		inherit acls = Yes
		inherit permissions = Yes
		invalid users = root
		map acl inherit = Yes
		use sendfile = Yes
		wide links = Yes

I wasn't able to find the IDMAP lines in the smb.conf. Found them within the smb-names.conf file:
	root@Tower:~# cat /etc/samba/smb-names.conf
	# Generated names
	netbios name = Tower
	server string = Media server
	hide dot files = no
	server multi channel support = no
	max open files = 40960
	multicast dns register = No
	disable netbios = yes
	server min protocol = SMB2
	security = ADS
	workgroup = TESTLAB
	realm = testlab.com
	null passwords = Yes
	idmap config * : backend = hash
	idmap config * : range = 10000-4000000000
	winbind use default domain = Yes
	ldap ssl = No
	nt acl support = Yes
	acl map full control = Yes
	acl group control = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	dos filemode = Yes
	bind interfaces only = yes
	interfaces = 192.168.66.10/24 127.0.0.1

Please let me know if there is anything else to change/try/capture. Thanks,

Unraidster
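Added example, not from the thread and not part of Samba or Unraid: a small POSIX sh/awk audit that reads `testparm -s` style output and flags the settings Rowland objected to in the dump above (`null passwords = Yes`, `ntlm auth = ntlmv1-permitted`, `wide links = Yes` with unix extensions off, and a non-tdb backend for `idmap config *`). The two `[global]` samples are constructed inline: the weak one is the relevant subset of the testparm output above, and the hardened counterpart has the same parameters corrected; its `idmap config TESTLAB` lines are an assumed example of a per-domain backend, not something the thread shows. The function name `audit_smb_global` is my own.

```shell
#!/bin/sh
# Added example: audit a Samba [global] section (testparm -s output) for the
# weak settings flagged in the thread above. Not part of Samba or Unraid.
# Usage on a live host:  testparm -s 2>/dev/null | audit_smb_global

# Constructed sample: the relevant lines of the testparm dump above.
WEAK_GLOBAL='[global]
    ntlm auth = ntlmv1-permitted
    null passwords = Yes
    server min protocol = SMB2
    smb1 unix extensions = No
    idmap config * : range = 10000-4000000000
    idmap config * : backend = hash
    wide links = Yes'

# Constructed counterpart with the flagged values corrected. The TESTLAB idmap
# lines are an assumed example of a per-domain backend, not from the thread.
HARDENED_GLOBAL='[global]
    ntlm auth = ntlmv2-only
    null passwords = No
    server min protocol = SMB2
    smb1 unix extensions = No
    wide links = No
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config TESTLAB : backend = rid
    idmap config TESTLAB : range = 10000-999999'

# Reads testparm-style text on stdin; prints one finding per line, nothing if clean.
audit_smb_global() {
    awk '
    # Section headers: only [global] is audited here.
    /^[ \t]*\[/ {
        s = $0; gsub(/[ \t]/, "", s)
        is_global = (s == "[global]")
        next
    }
    !is_global || !/=/ { next }
    {
        # Split on the first "=" only: keys such as "idmap config * : backend"
        # contain spaces and colons, so a field separator would not do.
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[tolower(key)] = tolower(val)
    }
    END {
        if (conf["null passwords"] == "yes")
            print "null passwords = yes :: deprecated; allows logon to accounts with an empty password"
        if (conf["ntlm auth"] == "yes" || conf["ntlm auth"] == "ntlmv1-permitted")
            print "ntlm auth = " conf["ntlm auth"] " :: NTLMv1 accepted; the default ntlmv2-only is safer"
        if (conf["wide links"] == "yes") {
            msg = "wide links = yes :: symlinks inside a share may resolve outside it"
            if (conf["unix extensions"] == "no" || conf["smb1 unix extensions"] == "no")
                msg = msg " (effective here because unix extensions are off)"
            print msg
        }
        if (("idmap config * : backend" in conf) && conf["idmap config * : backend"] != "tdb")
            print "idmap config * : backend = " conf["idmap config * : backend"] " :: non-default backend for the * domain; tdb is the usual choice"
        if (conf["server min protocol"] ~ /^(nt1|lanman|core)/)
            print "server min protocol = " conf["server min protocol"] " :: SMB1 still allowed; SMB2 is the default minimum"
    }'
}

# Run against the weak sample; the hardened sample produces no output.
printf '%s\n' "$WEAK_GLOBAL" | audit_smb_global
```

`testparm -s` prints the merged result of smb.conf and every `include`d file, but omits parameters that are at their compiled-in default; `testparm -s -v` prints those too, which is the form to feed this audit if you also want to see defaults such as `server min protocol`. Only `[global]` is parsed; a share-level `wide links` or `create mask` would need the same loop run per section.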
